VDB
CVE-2024-7594
CVE-2024-7594
PUBLISHED
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
EPSS 0.60% · 70.0th percentile
Risk Scores
EPSS Score
0.60%
70.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | vault | 1.7.7 |
| Bitnami | vault | 1.7.7 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2024-7594 (circl-sighting)
- CIRCL seen: CVE-2024-7594 (circl-sighting)
- https://security.netapp.com/advisory/ntap-20250110-0007/ (circl)
- https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251 (circl)
Timeline
- Sep 26, 2024 CVE Published
- Sep 26, 2024 PoC Published
- Sep 27, 2024 EPSS Score
- Oct 5, 2024 Coalition ESS Score
- Oct 16, 2024 EPSS Score
- Nov 5, 2024 EPSS Score
- Nov 24, 2024 EPSS Score
- Dec 14, 2024 EPSS Score
- Jan 2, 2025 EPSS Score
- Jan 10, 2025 PoC Published
- Jan 22, 2025 EPSS Score
- Feb 7, 2025 Coalition ESS Score